I'm not familiar with Netscreen . . . . . I'd say try unique FQDNs for each
tunnel . . . . . . beyond that I'd have no idea besides double checking the
IPs for local/remote to make sure they are going the right direction . . . .
. . .
David Z
----- Original Message -----
From: "Kenman Wong" <kenman dot wong at iaspec dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, March 02, 2006 8:45 PM
Subject: Re: [m0n0wall] Hub-And-Spoke VPN
> Hi,
>
> I've just started reading this post and I am asked to configure a
> hub-spoke VPN for our offices. We have 3 office locations, with the central
> office having a static IP and the two branch offices using dynamic IPs.
>
> Hub LAN : 10.1.x.x
> Spoke #1 LAN : 10.11.x.x
> Spoke #2 LAN : 10.21.x.x
>
> I only use M0n0wall on the two Spokes while the Hub is a Netscreen 100
> device. I can get both MW's and the NS-100 to connect an IPsec tunnel
> between each other. Once I create and start the second set of tunnels to
> route traffic from Spoke #1 to Spoke #2, both tunnels will close and they
> fail Phase 1 negotiation. My NS-100 tells me about not finding the correct
> Phase 1 scheme. My guess is NS-100 gets confused which tunnel it is
> negotiating with.
>
> So if we do the second set of tunnels, do we create a tunnel with an
> entirely different Pre-shared key/secret? How about the My Identifier? I
> use "User FQDN" followed by an email address on the MW's with Aggressive
> negotiation. Must the second set of tunnels use a different "User
> FQDN"?
>
> cheers,
> Kenman
>
>
> Dan Firac wrote:
>> Hello all,
>>
>> Can m0n0wall be configured for a Hub-And-Spoke VPN with communication
>> between spokes?
>>
>> TIA,
>> Dan.
>>
>>
>
>
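The two checks David suggests (a unique identifier per tunnel, and local/remote subnets pointing the right way) can be applied mechanically to a tunnel inventory. The following is an added example, not code from the list or from m0n0wall; the device names, identifiers and the `Tunnel` model are constructed, with only the three LAN ranges taken from Kenman's mail.

```python
"""Sanity checks for a hub-and-spoke IPsec layout (added example, not from the list)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Tunnel:
    name: str        # label used in the report
    device: str      # router that holds this definition
    local_net: str   # subnet behind this device for this tunnel
    remote_net: str  # subnet reached through the tunnel
    my_id: str       # Phase 1 "My Identifier" presented to the peer
    peer_id: str     # identifier expected from the peer

def duplicate_peer_ids(tunnels, hub):
    """Names of hub tunnels whose expected peer identifier is shared with another hub tunnel.
    With aggressive mode and dynamic peers the hub picks its Phase 1 policy by the identifier
    the initiator presents, so a reused identifier leaves the hub unable to tell tunnels apart."""
    hub_side = [t for t in tunnels if t.device == hub]
    seen = Counter(t.peer_id for t in hub_side)
    return sorted(t.name for t in hub_side if seen[t.peer_id] > 1)

def unmirrored(tunnels):
    """Names of tunnels with no counterpart on another device whose local/remote subnets and
    identifiers are the exact mirror image; a swapped local/remote pair shows up here."""
    def mirrors(a, b):
        return (a.device != b.device
                and ip_network(a.local_net) == ip_network(b.remote_net)
                and ip_network(a.remote_net) == ip_network(b.local_net)
                and a.my_id == b.peer_id and a.peer_id == b.my_id)
    return sorted(t.name for t in tunnels if not any(mirrors(t, u) for u in tunnels))

# Constructed layout after the thread: hub 10.1.0.0/16, spokes 10.11.0.0/16 and 10.21.0.0/16.
# Names and identifiers are invented. Two deliberate mistakes: spoke 2 reuses spoke 1's
# User FQDN, and the hub's spoke-to-spoke entry has local/remote swapped.
HUB = "ns100"
LAYOUT = [
    Tunnel("s1-hub", "spoke1", "10.11.0.0/16", "10.1.0.0/16", "spoke1@example.com", "hub.example.com"),
    Tunnel("hub-s1", HUB, "10.1.0.0/16", "10.11.0.0/16", "hub.example.com", "spoke1@example.com"),
    Tunnel("s2-hub", "spoke2", "10.21.0.0/16", "10.1.0.0/16", "spoke1@example.com", "hub.example.com"),
    Tunnel("hub-s2", HUB, "10.1.0.0/16", "10.21.0.0/16", "hub.example.com", "spoke1@example.com"),
    # second set: spoke 1 reaches spoke 2's LAN through the hub
    Tunnel("s1-s2", "spoke1", "10.11.0.0/16", "10.21.0.0/16", "spoke1@example.com", "hub.example.com"),
    Tunnel("hub-s1s2", HUB, "10.11.0.0/16", "10.21.0.0/16", "hub.example.com", "spoke1@example.com"),
]

if __name__ == "__main__":
    print("reused peer ids on hub:", duplicate_peer_ids(LAYOUT, HUB))
    print("tunnels without a mirror:", unmirrored(LAYOUT))
```

A clean layout returns two empty lists; the spoke-to-spoke tunnel on the hub must have the spoke 2 LAN as its local network and its own distinct identifier.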